Akeyless SCP

Akeyless SCP enables secure copy via the Akeyless Secure Remote Access Bastion.



Akeyless SCP currently supports only UNIX-like operating systems.



  1. Download the Akeyless SCP script:
curl -o akeyless-scp https://download.akeyless.io/Akeyless_Artifacts/Linux/SSH/akeyless-scp
chmod +x akeyless-scp
mv akeyless-scp /usr/local/bin
  1. Create your ~/.akeyless-sphere.rc:
# ---------------------------------------------------------------------
# Copyright © 2021  Akeyless Security LTD.
# All rights reserved
# ----------------------------------------------------------------------

# This file is a user-specific configuration file for akeyless-sphere Zero Trust Access
# it should be located in user home directory named .akeyless-sphere.rc

# identity_file - the path to the ssh-key to be signed and used for Zero Trust session (if empty, default ssh-key is used)

# cert_issuer_name - full path to the Akeyless SSH Cert Issuer to use for Zero Trust session

# profile - Akeyless CLI profile to be used

# Akeyless CLI binary (if needed)

# AKEYLESS_API_GW - URL for Akeyless API Gateway (RestAPI)

# Following are used for control service, to configure the temporary session:

# Allow caching of temp session creds

# Display connection stages

# Use SSH Agent to store user's identity keys.

The latest version of this file can be found in the official Akeyless artifacts.

Configure the following settings:

CERT_ISSUER_NAME - Full path to the Akeyless SSH Certificates Issuer item.

AKEYLESS_PROFILE - Set the profile from your Akeyless Command Line Interface (CLI) to use. By default, the default profile of your Akeyless CLI is used.

AKEYLESS_GW_REST_API - Set your Akeyless Gateway URL on port 8080 for Zero-Knowledge items and for internal network access.

BASTION_API_PROTO - Default is http. Set to https when your Secure Remote Access Bastion is configured with TLS.

BASTION_API_PORT - Default is set to 9900. Set your matching ssh-sra cluster service port.

BASTION_SSH_PORT - Default is set to 22. Set your matching ssh-sra cluster service port.
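
A pre-flight check for the settings above, as an added example that is not part of the Akeyless script or documentation. It assumes the rc file holds plain KEY=value lines (optionally quoted); the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Akeyless code). Assumes KEY=value lines, optionally quoted.

# Print the last value assigned to key $2 in file $1, surrounding quotes removed.
rc_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Succeed only for a decimal TCP port in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print one finding per line; return 0 if clean, 1 on findings, 2 if unreadable.
audit_sphere_rc() {
  a_rc=$1; a_bad=0
  [ -r "$a_rc" ] || { echo "FAIL cannot read $a_rc"; return 2; }
  if [ -z "$(rc_get "$a_rc" CERT_ISSUER_NAME)" ]; then
    echo "WARN CERT_ISSUER_NAME is not set"; a_bad=1
  fi
  a_proto=$(rc_get "$a_rc" BASTION_API_PROTO)
  case "${a_proto:-http}" in            # unset falls back to the documented default
    https) ;;
    http) echo "WARN BASTION_API_PROTO=http: bastion API traffic is not TLS-protected"; a_bad=1 ;;
    *)    echo "FAIL BASTION_API_PROTO=$a_proto: expected http or https"; a_bad=1 ;;
  esac
  for a_key in BASTION_API_PORT BASTION_SSH_PORT; do
    a_val=$(rc_get "$a_rc" "$a_key")
    # Unset is accepted: the documented defaults (9900 and 22) apply.
    [ -z "$a_val" ] || valid_port "$a_val" || { echo "FAIL $a_key=$a_val: not a TCP port"; a_bad=1; }
  done
  return "$a_bad"
}

# Constructed sample files: weak settings first, then the corrected ones.
demo=$(mktemp -d)
printf '%s\n' 'CERT_ISSUER_NAME=""' 'BASTION_API_PROTO="http"' \
  'BASTION_API_PORT="99OO"' > "$demo/weak.rc"
printf '%s\n' 'CERT_ISSUER_NAME="/example/ssh-issuer"' 'BASTION_API_PROTO="https"' \
  'BASTION_API_PORT="9900"' 'BASTION_SSH_PORT="22"' > "$demo/fixed.rc"
audit_sphere_rc "$demo/weak.rc" || echo "weak.rc: findings above"
audit_sphere_rc "$demo/fixed.rc" && echo "fixed.rc: clean"
```

To check a real file, call `audit_sphere_rc ~/.akeyless-sphere.rc` before the first copy.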

Optionally, when working with load balancers, you can set the exact FQDN of your ssh-sra service, which listens on the bastion API control port:

BASTION_API_PREFIX - Set the FQDN prefix to match your load balancer settings.

BASTION_API_PATH - Set the FQDN path to match your load balancer settings.

Where the URL will be set as follows:


  1. Use the akeyless-scp command to perform a secure copy to a remote target server via the Akeyless Secure Remote Access Bastion:

Full options list:

Usage: /usr/local/bin/akeyless-scp <[email protected][:port]> via <bastion-server[:port]> [options]

optional arguments:
    --cert-issuer-name      Akeyless certificate issuer name [mandatory]
    --local-file            File to copy [mandatory]
    --remote-file           File to copy [default is '~/']
    --direction             upload/download [default is 'upload']
    --profile               Use a specific profile from your Akeyless CLI
    -i                      Selects a file from which the identity (private key) for public key authentication is read [default is '~/.ssh/id_rsa']
    --ssh-extra-args        Use to add offical SSH arguments (except -i)

For example, the following command copies a local file to a remote server:

akeyless-scp [email protected] via <sra-bastion-ssh-service> --local-file /full/local/location/file --remote-file /remote/location/file